The Legislative Audit Committee 
of the Montana State Legislature: 


We conducted an Information Systems audit of Banner which is maintained and 
operated by Montana State University-Bozeman to assist in the administration of 
financial, human resource, student, and financial aid records. The intent of the Banner 
audit was to identify and test key controls over the Finance, Financial Aid, and Human 
Resource modules to ensure the modules operate as intended. This report outlines our 
findings and conclusions from our review. 


We wish to express our appreciation to Montana State University-Bozeman for their 
cooperation and assistance. 


Respectfully submitted, 
/s/ Tori Hunthausen 


Tori Hunthausen, CPA 
Legislative Auditor 
REPORT SUMMARY 


Banner: Administrative Services System 


The Banner system is used by Montana State University-Bozeman (MSU) to assist in 
the administration of financial, human resource, student, and financial aid records. 
Banner consists of baseline functionality, as delivered by a third party vendor, and 
customized functionality through modifications developed by MSU. Banner is 
maintained by MSU departments responsible for data (Financial Aid, Registrar's Office, 
etc.) with hardware and modification support being handled by MSU’s Information 
Technology Center. 


The Banner system consists of four modules: 


• Finance — manages MSU financial data including budget, accounts, ledgers, 
  purchases, and payments. 
• Human Resources — manages MSU employment information and payroll 
  processing including job and employee information, taxes, benefits, and 
  deductions. 
• Student Services — manages MSU student academic information including 
  admissions, class registration, course information, rosters, grading, and 
  enrollment status of students. 
• Financial Aid — manages the MSU student financial aid process from the 
  receipt of the student’s financial aid form through needs assessment and 
  award issuance. 


To help determine system risks, we reviewed system processes and changes, and 
considered prior audit testing and Banner delivered functionality. This audit focused 
on high risk areas of the Finance and Financial Aid modules, including system 
modifications. The audit also addressed limited areas within the Human Resources module. 
Audit work addressed the following objectives: 


• Ensure access to select Banner functionality is limited to users with identified 
  business needs 
• Review controls over Banner modifications 
• Ensure select Banner processing controls function as intended 


This report discusses the work performed during this audit, including findings and 
recommendations. Overall, we conclude MSU has controls in place over the audited 
areas. However, we did identify areas where MSU could improve. This report contains 
two recommendations for MSU to strengthen user access controls to ensure access 
is segregated by job duties and needs, and strengthen controls over the use of a code 
migration account to increase individual accountability. 
Chapter I — Introduction and Background 


Introduction 


Information Systems auditors conducted an audit over controls residing within the 
Banner system at Montana State University-Bozeman (MSU). The intent of the 
Banner audit is to identify and test key controls over the application to ensure the 
system is operating as intended. In addition to this report, we provided an internal 
memorandum to Legislative Audit Division staff providing detailed control 
information to consider during other audit work. 


Background 


The Banner system is used by MSU to assist in the administration of financial, human 
resource, student, and financial aid records. Banner consists of baseline functionality 
as delivered by a third-party vendor, and customized functionality through 
modifications developed by MSU. Banner data is maintained by MSU departments (Financial 
Aid, Registrar's Office, etc.) with hardware and modification support by MSU’s 
Information Technology Center. 


Banner consists of four modules: Finance, Human Resources, Student Services, and 
Financial Aid. Within each module are subsystems providing different functionality 
to Banner users. 


The Finance module manages MSU financial data including budgets, accounts, ledgers, 
purchases and payments. It includes the following subsystems and functionality: 


• Accounts Payable — processes invoices, maintains vendor data, calculates 
  discount and payment schedules, and manages tax disbursements 
• Purchasing — manages both immediate purchases and purchases requiring a 
  bid process 
• Accounts Receivable — maintains charge and payment information for 
  individual accounts, including student accounts 
• Budgeting — manages MSU’s yearly operating budgets 
• Posting — moves transactions from all functions into MSU ledgers 
• Fixed Assets Management — maintains assets over $5,000 


The Human Resources module manages MSU employment information and payroll 
processing including job and employee information, taxes, benefits, and deductions. It 
includes the following subsystems and functionality: 


• Employment — manages employee information, job profiles, and benefit 
  information 
• Payroll — manages time entry, approval and payroll process 


The Student Services module manages student academic information including 
admissions, class registration, course information, rosters, grading, and enrollment status of 
students. It includes the following subsystems and functionality: 


• Admissions — tracks potential students and manages student admissions 
• Registration — manages student registration and grades 


The Financial Aid module manages the student financial aid process from the receipt 
of the student’s financial aid form through needs assessment and award issuance. It 
includes the following subsystems and functionality: 


• Financial Aid Drawdown — processes U.S. Department of Education’s 
  download of federal financial aid forms for integration into Banner 
• Tracking — tracks student eligibility for receiving financial aid 
• Budgeting — calculates the cost of attendance and student financial need 
• Packaging — manages the financial aid award process 


Additionally, Banner financial data is transferred to the Statewide Accounting, 
Budgeting, and Human Resources System (SABHRS). 


Audit Objectives 
This Information Systems audit addressed the following objectives: 


1. Ensure access to select Banner functionality is limited to users with identified 
business needs 


2. Review controls over Banner modifications 


3. Ensure select Banner processing controls function as intended 


Scope and Methodology 


To help determine system risks, we reviewed system processes and changes, and 
considered prior audit testing and Banner delivered functionality. This audit focused 
on high risk areas of the Finance and Financial Aid modules, including system 
modifications. The audit also addressed limited areas within the Human Resources module. 


Audit methodologies included interview of staff, query and analysis of Banner data, 
and observation of Banner and MSU staff operations. We evaluated the control 
environment using Board of Regents policy, Banner User Guides, MSU security policy, 
federal law, and industry accepted information technology standards established by the 
IT Governance Institute and the National Institute of Standards and Technology. The 
audit was conducted in accordance with Government Auditing Standards published 
by the United States Government Accountability Office (GAO). 


Management Memorandum 


During the course of our audit, we identified the following area warranting management 
attention: 
Verification — Verification flags prevent a student’s financial aid form from 
being processed for financial aid eligibility. The flags can be manually removed; 
however, minimal monitoring of flag removal occurs, so monitoring could be 
strengthened. 


Although not included as a recommendation in this report, our suggestion was 
presented to MSU for its consideration. 
Chapter II — Select Banner Access 


Who Can Access University Information? 


Automated systems store one of an organization’s most valuable assets—data. These 
systems are often critical in supporting the organization’s functionality. In order to 
protect the system and data from unauthorized activity, access should be controlled. 
Controlling access allows employees to complete assigned job responsibilities while 
inhibiting misuse of confidential information. Montana State University-Bozeman 
(MSU) relies on user access controls in all modules of Banner. In order to obtain access 
within Banner, a user must complete a Banner Account Request form and obtain 
necessary approval, including each module’s team lead and manager. The forms are 
then routed to Banner security personnel for access assignment. To satisfy our first 
objective, we reviewed specific user access in the Finance, Financial Aid (FA) and 
Human Resources (HR) modules. 


Finance Module 


Vendor Data 


In order to make payments on purchases, Banner requires vendor information and 
an invoice to be created and approved. Since vendor payments are generated using 
information stored in Banner, access to vendor data should be controlled to prevent 
unauthorized changes. To ensure vendor data access is limited to users commensurate 
with job responsibilities, we queried Banner to obtain a list of users with rights to add 
or modify vendor data and compared the results with information from the MSU 
Banner Finance Team Lead. We determined access to vendor data is limited to users 
with an identified business need. 


Invoice Creation 


Invoices are manually entered into Banner by Accounts Payable (AP) staff in Business 
Services. Invoice creation includes adding or updating vendor information. Once 
created, each invoice is to be approved prior to payment; if not approved, the invoice is 
not paid. Any individual having access to update vendor data and create and approve 
invoices has the ability to create their own payments. To ensure controls prevent any 
individual from having access to all three functions, we queried Banner for a list of 
individuals with the ability to enter and approve invoices and compared the results 
with the list of individuals having update access to vendor data. We determined nine 
individuals could perform all three functions; however, we confirmed AP management 
performs daily reviews of both vendor updates and invoice creations to ensure all 
invoices are authorized. 


Student Fees 


Banner’s Accounts Receivable (AR) subsystem tracks all MSU customer accounts 
and is used to enter incoming funds into Banner. For student accounts, funds can 
be credited as direct payments such as cash and checks paid on an existing account 
for items like tuition and fees, as well as room and board. Payments can also come 
in the form of credit card payments, financial aid credits, and refunds or credits. For 
nonstudent accounts, funds are credited much the same way using a vendor ID, agency 
ID, etc. Student fees are generally managed by the Student Accounts Receivable staff 
in Business Services, while nonstudent fees are managed by different staff in the same 
office. Since student fees make up the majority of AR transactions, we reviewed AR 
staff access to change or remove student fees. We queried Banner for a list of individuals 
with the ability to update student fees and compared the results with the Banner 
Finance Team Lead’s assertion of staff with the job requirement to update student fees. 
All individuals matched, indicating MSU staff with access rights to remove student 
fees have an identified business need. 


Financial Aid Module 


Satisfactory Academic Progress 


To receive federal financial aid, U.S. Department of Education (DOE) regulations 
require students to meet both a quantitative and qualitative measurement called 
Satisfactory Academic Progress (SAP). MSU mandates students meet three SAP 
requirements to receive financial aid: 


• Cumulative credits pass rate: MSU students must pass at least 67 percent of 
  the cumulative credits attempted in their degree. 
• Maximum credit hours: students must not exceed the number of credits 
  required to obtain their degree (for example, 180 credits for an undergraduate 
  degree). 
• GPA: MSU mandates undergraduate students carry a cumulative GPA of 
  2.0, and graduate students carry a cumulative GPA of 3.0. 


Students not meeting all three requirements will be considered ineligible for financial 
aid. The University monitors student progress and relies on Banner to determine SAP 
violations based on MSU policy entered in the system. If a student does not meet any 
of the SAP requirements, Banner flags the student account preventing any further 
processing of financial aid eligibility. However, SAP flags can be manually changed. 
For example, when a student with a flagged record appeals and MSU decides mitigating 
circumstances caused the student not to meet SAP, the flag will be removed. Manual 
flag changes can also occur when nonfederal financial aid adjustments need to be 
made. For example, if work study amounts need to be changed, the flag is removed, 
adjustments are made, and the flag reinstated. 


We reviewed who can change SAP flags, whether all SAP flag changes between 
January 1, 2008, and October 1, 2009 (dates corresponding with semester end dates), were 
made by authorized individuals, and whether SAP flag changes are monitored. Management 
provided us a list of individuals with the need to remove or change the SAP flag and 
we compared it to a list of individuals obtained through query of Banner. We also 
compared a list of who made SAP flag changes in Banner between January 1, 2008, 
and October 1, 2009, with the list of individuals with the need to remove or change 
the SAP flag. In both comparisons, we determined only authorized individuals have 
access to change the SAP flag. We also interviewed FA management and reviewed 
Banner reports and determined management reviews SAP flag changes on a semester 
basis. 


Verification 


Banner's financial aid process begins with importing financial aid forms from DOE. 
Generally, DOE requires universities to verify a percentage of the forms to ensure 
students are completely and accurately filling out the forms. To ensure this occurs, 
DOE flags a sample of up to 30 percent of financial aid forms for verification. 
However, MSU is rated as a “quality assurance” school by DOE, allowing MSU to 
create its own verification rules. The rules are created by the FA director and staff, and 
the FA system analyst enters the rules into Banner. Banner compares the rules with 
student records and flags any record requiring verification (meeting the rules). Once 
a student’s financial aid record is flagged, FA evaluators send a letter to the student 
with details on what information must be submitted for verification. We reviewed 
access to modify verification rules in Banner to determine it is limited to users with 
an identified business need. Our work compared a list, from Banner, of individuals 
with access to change MSU verification rules with FA management’s assertion of who 
should have access. We determined all users with access to change the rules have an 
identified business need. 


Once FA evaluators receive verification information, they compare it to the financial 
aid form; if everything matches, verification is marked as complete, the flag is removed, 
and the form will continue being processed. We reviewed access to determine if rights 
to mark verification as complete are limited to individuals with a business need. Our 
work compared a list, from Banner, of individuals with access to mark verification 
as complete with FA management’s assertion of who should have access. Both lists 
matched. As a result, access to mark verification as complete is limited to individuals 
with a business need. 


Cost of Attendance 


Key to determining student financial aid need is the base Cost of Attendance (COA). 
The COA is a calculation of how much it will cost a student to attend MSU, depending 
on student status. Banner compares the COA to student resources (income, Pell 
Grants, fee waivers, etc.) with the difference being the student's financial aid need. The 
FA Director and staff initially determine the base COA, which is manually entered 
into Banner. However, additional COA is applied where additional costs are identified. 
For example, if the base COA for a full-time student is $1,700 a semester, but books 
will cost an additional $700, the new total COA is changed to $2,400. However, 
when the addition is made, the base COA ($1,700) is not changed. To determine if 
the ability to change the base COA is limited to individuals with a business need, we 
reviewed a list, from Banner, of individuals with access to change the COA. Our work 
identified 11 individuals with the ability to change the COA, and FA management 
verified a business need for all 11. However, they can only add to the base COA, not 
change it. We also noted changes to the base COA would cause a recalculation of all 
student financial aid eligibility, which, through reporting, would elevate management's 
awareness of unauthorized base COA changes. To ensure these controls prevented the 
COA for school year 2009-10 from being changed, we compared the COA in Banner 
to the calculated COA and determined the rates are the same. 


CONCLUSION 

Based on audit work, we conclude access to select Banner Finance and 
Financial Aid functionality is limited to users with identified business needs. 


Human Resources Module 


HR staff is responsible for entering all employee data into Banner, as well as processing 
payroll. Industry best practices suggest job duties be segregated to prevent any single 
individual from subverting critical processes. Furthermore, user access should only be 
allowed to accomplish assigned tasks in accordance with business functions. As such, 
the ability to create an employee or job position and enter time in Banner should be 
segregated to prevent a single MSU employee from being able to create and pay an 
individual. 


Payroll 


In order for a user to create and pay employees in Banner, update access to four different 
forms is required. In addition, they must have specific security access to generate an 
employee ID. We queried Banner to determine if any individual user had both update 
access to all four forms and the security access. Our analysis identified one individual 
with both types of access, and an additional individual with access to all four forms 
and the ability to give themself the security access. Although MSU has segregated HR 
and payroll business processes, our work determined they have not fully segregated 
HR and payroll job duties within Banner. This level of access would allow these users 
to potentially create and pay fictitious employees. We spoke with business function 
representatives to determine the reason for granting this access. These representatives 
were unaware of the lack of segregation of duties within Banner. 


Time Entry 


MSU has two methods of entering employee time: through a Banner time entry form, 
and through a web time entry portal. The main difference between the two methods is 
web time entry requires supervisor approval before time can be processed for payment. 
At the time of the audit, only MSU payroll staff entered time through the web portal. 


Industry best practices suggest a segregation of duties should exist preventing any 
individual not having time entry responsibilities from being able to enter time in 
Banner. We reviewed access to the Banner time entry form to determine if it is limited 
to individuals with a business need. We queried Banner to identify everyone with 
access to the time entry form and compared the results to HR management’s assertion 
of who should have access. Our analysis identified an IT administrator with access 
to the form; however, this access was not reflective of their job duties. As a result, a 
lack of segregation of job duties existed, potentially allowing the entry of unapproved 
time. Business function representatives were unaware of this lack of segregation of 
duties. We also queried Banner to ensure users with access to modify time were not 
modifying their own time. Query results indicated no one had entered their own time. 
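
The access comparisons described under Invoice Creation, Payroll, and Time Entry can be reproduced over an export of access grants. The following is an added example, not the auditors' queries or MSU's code; the function names, user IDs, and grant records are constructed, since the report does not name the Banner forms or security classes involved.

```python
from collections import defaultdict

# Function names below are hypothetical labels: the report does not name the
# Banner forms or security classes behind each capability.
HR_FORMS = ("HR_FORM_1", "HR_FORM_2", "HR_FORM_3", "HR_FORM_4")
TOXIC_COMBINATIONS = {
    # Invoice Creation: vendor update + invoice entry + invoice approval.
    "create-own-payment": frozenset(
        {"VENDOR_UPDATE", "INVOICE_ENTER", "INVOICE_APPROVE"}),
    # Payroll: update access to four forms + security access to generate an ID.
    "create-and-pay-employee": frozenset(HR_FORMS) | {"EMPLOYEE_ID_GENERATE"},
}

# Constructed sample export of access grants: (user, function, kind).
# "held" = access the account has now; "self_grant" = access the user is able
# to assign to their own account.
GRANTS = (
    [("ap_clerk1", f, "held") for f in TOXIC_COMBINATIONS["create-own-payment"]]
    + [("ap_clerk2", "INVOICE_ENTER", "held")]
    + [("hr_backup", f, "held")
       for f in TOXIC_COMBINATIONS["create-and-pay-employee"]]
    + [("hr_secadmin", f, "held") for f in HR_FORMS]
    + [("hr_secadmin", "EMPLOYEE_ID_GENERATE", "self_grant")]
    + [("hr_clerk", f, "held") for f in HR_FORMS[:2]]
    + [("pay_1", "TIME_ENTRY_FORM", "held"),
       ("it_admin", "TIME_ENTRY_FORM", "held")]
)


def build_access(grants):
    """Index grants into {user: functions held} and {user: self-grantable}."""
    held, self_grantable = defaultdict(set), defaultdict(set)
    for user, function, kind in grants:
        if kind == "held":
            held[user].add(function)
        elif kind == "self_grant":
            self_grantable[user].add(function)
        else:
            raise ValueError(f"unknown grant kind: {kind!r}")
    return held, self_grantable


def sod_conflicts(grants, combinations=TOXIC_COMBINATIONS):
    """Return (user, combination, how) for every user covering a whole
    combination, either directly or only after granting themselves access."""
    held, self_grantable = build_access(grants)
    findings = []
    for user in sorted(set(held) | set(self_grantable)):
        for name, required in sorted(combinations.items()):
            if required <= held[user]:
                findings.append((user, name, "direct"))
            elif required <= held[user] | self_grantable[user]:
                findings.append((user, name, "via self-grant"))
    return findings


def compare_to_approved(grants, function, approved):
    """Compare who holds a function with management's list of who should."""
    held, _ = build_access(grants)
    actual = {user for user, functions in held.items() if function in functions}
    return {
        "unapproved": sorted(actual - set(approved)),       # access, no need
        "unused_approval": sorted(set(approved) - actual),  # need, no access
    }


if __name__ == "__main__":
    for finding in sod_conflicts(GRANTS):
        print("SoD conflict:", finding)
    print(compare_to_approved(GRANTS, "TIME_ENTRY_FORM", {"pay_1", "pay_2"}))
```

A "direct" finding still needs a check for compensating controls, such as the daily AP management review the report describes, before it is treated as an exception.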


Access Review 


Subsequent to our identification of the above segregation of duties issues, MSU 
personnel conducted further review of Banner access. In its review, MSU identified 
personnel who were aware of the segregation of duties and obtained reasons for granting 
access. For payroll, permanent access was granted for backup purposes. However, 
backup responsibilities are temporary in nature, so permanent access is not needed. For 
time entry, existing access for a position was transferred to a new employee. According 
to MSU, this access was not required and has been revoked. 


MSU has established Banner security administration procedures referencing user 
access. While an intent of the procedures is to ensure continual review of Banner 
access, they do not provide clear and detailed guidance on specific procedures to follow 
and personnel to notify. While some MSU personnel were aware of the access issues 
we identified, personnel within the related business functions were not aware of these 
situations. As a result, current practice does not ensure existing access is assigned and 
communicated according to business need. 
RECOMMENDATION #1 


We recommend Montana State University-Bozeman strengthen user access 
controls to ensure access is segregated per job duties and need. 




Chapter III - Select Banner Modification 


How Has Banner Changed? 


Banner is a commercial-off-the-shelf system. When a system such as Banner is 
implemented, system functionality is considered delivered, or baseline. However, the system 
may not perform as expected or needed by the implementing organization, thus 
requiring system modification. To ensure modifications operate as intended and do not 
have adverse impact, Montana State University-Bozeman (MSU) has implemented 
change control procedures to request, develop, test, and implement modifications to 
Banner functionality. To address our second objective, we reviewed modifications to 
Banner’s Finance and Financial Aid modules to answer the following questions: 


• Was Banner baseline functionality changed? 
• If so, does Banner still function as MSU intends? 
• Did modifications follow MSU’s change control procedures? 


We determined MSU only modified Banner Finance. As a result, our system 
modification review was limited to Banner’s Finance module. 


Finance Module 


Modifications and Change Management 


MSU modified Banner’s Finance baseline functionality four times since the last MSU 
Banner audit (July 2007). After reviewing the modifications, we determined the 
following functionality was affected: 


1. Access in a specific Banner form to change email addresses was removed 
2. Ability to review MSU purchasing card accounts was restricted 


3. Accounts Receivable database search methods were changed allowing faster 
database searching 


4. A description field in a Banner form was changed to allow specific information 


Although the modifications affected Banner baseline processing, our review indicated 
system functionality remained as expected. 


In order to implement a modification in a controlled and coordinated manner, a 
change control process should be implemented and followed. Furthermore, a change 
control process reduces the possibility that unnecessary or unauthorized changes will 
occur. Typical goals of a change control process include minimal disruption to services 
and cost-effective use of resources involved in implementing change. MSU’s Banner 
baseline change control process begins with development of a Banner modification 
proposal which contains details on the modification such as a description, contact 
person, resource cost, and security implications. The proposal is reviewed by a 
committee comprised of the Banner module team leads as well as user groups, and the 
Chief Information Officer of each MSU campus. Once approved, the proposal must 
also be approved and ratified by two other committees before modification work can 
begin. The modification is then developed, tested, and accepted. We verified the four 
modifications followed MSU’s change management process. 


CONCLUSION 


Based on audit work, MSU has modified Banner’s baseline functionality; 
however, system functionality remained as expected. Furthermore, 
modifications reviewed followed MSU’s change management process. 


Generic Access 


Once a Banner modification has been developed, tested, and accepted, it is ready to 
be moved (migrated) into the production environment. The migration process involves 
moving the modification programming code into a specific location (directory) 
effectively allowing Banner to operate using the newly developed code. 


A key control preventing unauthorized code from being migrated to production relies 
on who has access to move code into the directory. We obtained a list of accounts 
with access to Banner’s production code directory and determined it was limited to 
one account. However, the account’s username and password are not limited to a single 
individual. This allows any of four IT staff to perform code migrations without the 
ability to identify which individual migrated the code. Thus, unauthorized code could 
be migrated into Banner without the individual accountability suggested by industry 
best practices. Further work determined use of this generic account is required due to 
system design. While the use of this generic account is monitored by MSU staff not 
involved in the migration process, the monitoring does not ensure individual 
accountability. Additional controls could be implemented to limit access to the account and 
improve monitoring. For example, the password is currently shared by the four IT 
staff, but could be secured and managed by individuals not in the same department. 
In addition, account access could be restricted to a single individual, with additional 
business needs, such as backup individuals, being granted temporary access only when 
needed. Policy could also be developed identifying when and to whom the password 
can be revealed, as well as requiring notification to system administrators when use of 
the account will require more than one individual. 


RECOMMENDATION #2 


We recommend Montana State University-Bozeman strengthen controls 
over use of the generic code migration account to ensure increased individual 
accountability. 
Chapter IV — Banner Processing Controls 


How Does Banner Process Data? 


Montana State University-Bozeman (MSU) maintains data and information from 
students, vendors, employees, etc. To be usable, the data and information must be 
stored in a structured fashion. To do this, the system performs mathematical and logical 
operations, or processes, on the data. Processing controls ensure Banner functions as 
expected and operates in accordance with guidelines such as state and federal law. To 
address our third objective, we reviewed specific Banner processing controls to ensure 
operations occur as expected. 


Finance Module 


Cashier Session 


As mentioned in Chapter II, Banner’s Accounts Receivable (AR) subsystem tracks all 
University customer accounts and is used to enter incoming funds. In order to enter 
payments into Banner, a “cashier session” is created and assigned to the individual 
making the payment. Any transactions recorded during a specific cashier session will 
then be included within the session and tracked by the session number. At any time, 
the session can be closed by the cashier. Once closed, management approves (finalizes) 
the session in Banner allowing the transactions to be posted to related journals such as 
the General Ledger. 


We performed the following work to determine the cashier sessions operate as expected. 


1. We observed AR cashiers sign into Banner, noting Banner automatically 
assigned each cashier their own session number. 


2. As the cashiers recorded transactions, we observed Banner automatically 
assign the cashier’s ID and session number to each transaction. 


3. To record a transaction, Banner requires certain information (such as 
department number, account number, school term, amounts, etc.) to post 
the correct amounts to the correct accounts. We observed cashier attempts 
to complete transactions without required information; Banner would not 
allow the transactions to be completed without the information. 


4. We also observed AR management finalize the cashier sessions. We noted 
the finalization process does not include verifying the session totals have been 
reconciled. To ensure each session is correct and unauthorized activity does 
not take place, management relies on other manual controls. For example, 
MSU Business Services accounting staff not involved in AR transaction 
posting perform a daily manual reconciliation between bank accounts and 
Banner activity. 
5. Audit work also identified the ability for AR management to create, enter 
transactions, close, and finalize their own cashier sessions. However, 
any unauthorized recorded transactions, whether a change, fee removal, 
or payment, would still be monitored through the above mentioned 
reconciliation. Additionally, a report of AR fee changes and removals is 
printed daily and distributed to three different MSU staff, one of whom is 
not involved with AR transactions. 


6. Finally, we conducted testing to ensure cashier sessions must be closed and 
finalized prior to being posted to other Banner journals. We obtained a list 
of nonfinalized AR transactions, and then queried posted transactions in 
Banner to identify any nonfinalized transactions that may have posted; none 
were identified. 


Purchasing Payments 


The purchase and subsequent payment for goods and services obtained by MSU occurs 
within the Accounts Payable (AP) subsystem. MSU purchases are recorded through 
the following two methods: 


1. Direct Payment — For any purchase under $25,000, MSU departments will 
submit an approved invoice (as noted by a second signature) to AP staff in 
Business Services. AP staff manually enter the invoices as batches which 
are automatically assigned a batch number by Banner. The batches are 
then reviewed and approved in Banner by AP management. Banner then 
automatically posts the transactions and prepares warrants. The warrants 
are transferred nightly to the State Accounting, Budgeting, and Human 
Resources System (SABHRS) which will print the outgoing checks. 


2. Bid Process — For any purchase over $25,000, an approved hard copy 
requisition (as noted by a second signature) is created and submitted 
to Purchasing staff who enter the requisition into Banner. Banner will 
automatically encumber (attach) the requesting department’s funds to the 
requisition. Then a Request For Proposal is created and released, bids are 
received, and the winning bid is approved by the initiating department. 
Subsequently, a purchase order (PO) or contract is created and approved. 
Creation of the PO automatically releases the encumbered funds allowing 
for payment. Once the item is received or services are rendered, the initiating 
department creates and approves a hard copy Banner Purchasing Award 
(BPA) based on the invoice from the vendor. The BPA is sent to AP where it 
follows the Direct Payment process described above. 


We reviewed controls for the Direct Payment method by observing the process from 
invoice entry through posting to the General Ledger AP account. We observed the 
processing of two invoice batches as follows: 


1. The AP data entry clerk signed into Banner to begin entering invoices. 


2. Invoice entry occurred based on hard copy invoice or BPA. Banner assigned 
a batch number when the first invoice was entered. Each batch was assigned 
a unique number. The clerk also ensured account numbers existed on the 
invoices. We observed invoice entry without a department or account 
number; Banner would not allow completion of the invoice. 


3. Once all invoices for a batch were entered, the data entry clerk printed a 
Banner report of the batch details and manually ran an adding machine tape 
for the batch. The totals from the Banner report and the tape were compared 
to ensure all invoice entry amounts were correct. 


4. The batch was set aside for AP management approval. 


5. At the end of the day, AP management ran a Banner report for all invoices 
and compared the total with a manually determined total from all invoice 
batches. The invoices were also reviewed to ensure each had required 
information (approving signatures, asset numbers, etc.). 


6. Once all totals matched, AP management approved the invoice batches, 
allowing Banner to post the transactions nightly to other Banner ledgers. To 
ensure Banner requires invoice transactions to be approved prior to posting 
to other ledgers, we queried Banner for nonapproved AP transactions and 
compared it to Banner posted AP transactions. Any matches would have 
indicated Banner allowed transactions to post without approval. No matches 
occurred. 


7. On the following day, we observed the approved batches had been posted in 
the General Ledger AP account. 
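
The two posting tests described above (nonfinalized AR cashier sessions and nonapproved AP invoices, each compared against posted transactions) reduce to the same join. The sketch below is an added example, not the auditors' or MSU's query; the table and column names are hypothetical stand-ins for Banner's tables and every row is constructed sample data.

```python
import sqlite3

# Hypothetical schema (assumption): these are not Banner's real tables.
SCHEMA = """
CREATE TABLE ap_invoices (doc_id TEXT PRIMARY KEY, batch_no INTEGER, approved INTEGER);
CREATE TABLE ar_sessions (doc_id TEXT PRIMARY KEY, cashier TEXT, finalized INTEGER);
CREATE TABLE posted_txns (doc_id TEXT, ledger TEXT);
"""

# One fixed query per control: source rows that lack the prerequisite
# (approval or finalization) yet appear among posted transactions.
CHECKS = {
    "ap_unapproved_posted": """
        SELECT DISTINCT i.doc_id FROM ap_invoices i
        JOIN posted_txns p ON p.doc_id = i.doc_id
        WHERE i.approved = 0 ORDER BY i.doc_id""",
    "ar_unfinalized_posted": """
        SELECT DISTINCT s.doc_id FROM ar_sessions s
        JOIN posted_txns p ON p.doc_id = s.doc_id
        WHERE s.finalized = 0 ORDER BY s.doc_id""",
}

def build_sample(extra_posted=()):
    """Build an in-memory database of constructed rows for the checks."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ap_invoices VALUES (?,?,?)",
                     [("I0001", 101, 1), ("I0002", 101, 1), ("I0003", 102, 0)])
    conn.executemany("INSERT INTO ar_sessions VALUES (?,?,?)",
                     [("S0001", "clerk_a", 1), ("S0002", "clerk_b", 0)])
    posted = [("I0001", "GL"), ("I0002", "GL"), ("S0001", "GL")]
    conn.executemany("INSERT INTO posted_txns VALUES (?,?)",
                     posted + list(extra_posted))
    return conn

def run_checks(conn):
    """Return {check name: [offending doc_ids]}; empty lists mean the control held."""
    return {name: [row[0] for row in conn.execute(sql)]
            for name, sql in CHECKS.items()}

if __name__ == "__main__":
    print(run_checks(build_sample()))                   # control holds
    print(run_checks(build_sample([("I0003", "GL")])))  # unapproved invoice posted
```

Any non-empty result is an exception to follow up; an empty result corresponds to the "no matches" outcome reported here.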


Other Finance Controls 


We reviewed other select Banner Finance controls to ensure they operated as 
management asserted: 


Encumbrances - When creating a requisition in Banner, the initiating 
department's funds are to be encumbered. Banner settings can be applied 
to require encumbrance based on requisition information. We reviewed the 
settings in Banner and confirmed they are in place for any requisition created 
in Banner. 


Complete Invoices - Full accounting and payment for purchases relies on 
invoices being complete in Banner. As noted in item two in our observation 
above, Banner would not allow an invoice to be processed without either the 
department or account number. 


Invoice Overpayments - When a payment is to be made on a PO, an 
invoice is created and Banner compares the invoice to the source PO. If the 
invoice's dollar amount is higher than the purchase order's dollar amount, 
Banner’s delivered processing prevents payment of the invoice. To process 
the payment, either a new PO must be created or the invoice's dollar amount 
must be decreased. However, Banner also has an option, based on each user, 
to bypass this delivered processing. MSU AP management asserted no user 
has access to allow these invoices to be processed. We obtained and reviewed 
Banner user access regarding invoice entry and determined no user has the 
ability to bypass Banner’s delivered processing. Furthermore, we observed 
AP personnel attempt to create and process invoices with dollar amounts 
higher than the originating POs, and Banner would not allow creation and 
processing of the invoices. 


File Transfers - MSU sends four daily files to SABHRS. The files include 
transaction information from the Accounts Receivable and Accounts 
Payable subsystems, updates to the General Ledger, and student warrants 
(refunds). SABHRS staff ensures each file is received and processed and posts 
a report stating the file transfer and processing status. MSU also has log files 
indicating if there were any errors in the creation or delivery of the SABHRS 
files. MSU staff checks the reports daily to ensure the files were completely 
sent and received. We reviewed seven days of reports and confirmed the files 
completely and correctly transferred each day. 


Fixed Assets Management (FAM) - The FAM subsystem records asset 
information over $5,000 including initial asset information, depreciation 
calculations, and disposal. MSU fixed assets are recorded either through 
Banner's automated entry or by manual entry. To be entered automatically, a 
specific account number is assigned to the asset when the invoice is entered 
into the system. Manual entry of fixed assets generally centers on payments 
made as part of a larger asset. For example, when a new building is recorded, 
there may be more than one payment issued while the building is being 
constructed and each payment will have the same asset account code. FAM 
staff reviews Banner reports for payments made with the same asset account 
code and, if payments are all for the same asset, the value of the asset is 
assessed and entered into Banner. To ensure MSU fixed assets are entered 
into Banner, FAM management relies on both the entry of the asset account 
code from the invoice and AP management’s invoice entry review. We 
observed both the invoice entry and review and determined the fixed asset 
account numbers are included as part of invoice entry and reviews. 


Financial Aid Module 


Verification Rules 


As mentioned in Chapter II, U.S. Department of Education (DOE) regulations 
require student financial aid forms to be reviewed by universities to ensure students 
are completely and accurately filling out the forms. This process is called verification. 
MSU is rated as a “quality assurance” school by the DOE, allowing MSU to create its 
own verification rules. The rules are manually entered into Banner, and are submitted 
to the DOE for approval. To determine the verification rules in Banner for the 2009-10 
school year match those submitted to the DOE, we compared the rules submitted to 
DOE with the rules in Banner. The rules all matched. 


Eligibility 


Student financial aid eligibility is determined as a combination of three modules: 


1. Expected Family Contribution - amount stated on the financial aid form 
that the student and student’s parents (when applicable) are expected to 
contribute toward the student's costs. 


2. Other Financial Resources - other known and expected financial resources 
the student will have available to assist them with educational costs such as 
scholarships and tuition waivers. 


3. Cost of Attendance (COA) - how much it will cost a student to attend MSU, 
depending on student status. 


To determine financial aid eligibility, Banner adds the expected family contribution 
and other financial resources and subtracts the COA, resulting in how much cost the 
student is responsible for (need). Banner then calculates and awards financial aid based 
on student need and available funding, and sends each student a letter stating results 
of financial aid eligibility and award processing. We reviewed the eligibility calculation 
and verified it is baseline functionality. 


CONCLUSION 


Based on audit work, we conclude select Finance and Financial Aid processing 
controls function as MSU management intends. 
Dear Ms. Hunthausen: 


Montana State University would like to thank the Legislative Audit Division 
for their time in auditing the Banner: Administrative Services System. We 
believe this audit was productive and helpful in ensuring the system is 
operating as intended. We look forward to working with you again during the 
next audit. 

Sincerely, 

Waded Cruzado 
President 
WC/sm 


Office of the President 
211 Montana Hall 

P.O. Box 172420 

Bozeman, MT 59717-2420 
www.montana.edu 


Tel (406) 994-2341 
Fax (406) 994-1893 
MONTANA STATE UNIVERSITY 
Response to Legislative Audit Division Recommendations 
Banner: Administrative Services System 


Recommendation # 1 


We recommend Montana State University-Bozeman strengthen user access controls to ensure access is 
segregated per job duties and need. 


MSU concurs with the recommendation. 

MSU will clarify and strengthen its procedures for reviewing existing user access to ensure it is 
segregated per job duties, will review the updated procedures with appropriate staff and provide 
training as necessary. 


Recommendation # 2 


We recommend Montana State University-Bozeman strengthen controls over use of the generic code 
migration account to ensure increased individual accountability. 


MSU concurs with the recommendation. 

MSU will implement procedures to mandate that all users of the generic code migration account log in to 
the Admin VPN prior to the generic account so that their activity is logged to ensure increased individual 
accountability. 
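
The accountability check that the Recommendation #2 response implies, shown as an added example that is not part of MSU's response or procedures: each login to the shared migration account is matched to the one VPN user whose session covered that source address at that time. The log layout, user names, and addresses are assumptions and constructed sample data.

```python
from datetime import datetime

def ts(text):
    """Parse a constructed timestamp of the form YYYY-MM-DD HH:MM."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample records; the field layout is an assumption, not MSU's logs.
VPN_SESSIONS = [  # (user, assigned_ip, session_start, session_end)
    ("jdoe",   "10.8.0.11", ts("2010-03-01 09:00"), ts("2010-03-01 11:30")),
    ("asmith", "10.8.0.12", ts("2010-03-01 10:00"), ts("2010-03-01 10:45")),
    ("asmith", "10.8.0.11", ts("2010-03-01 13:00"), ts("2010-03-01 14:00")),
]
GENERIC_LOGINS = [  # (login_time, source_ip) for the shared migration account
    (ts("2010-03-01 09:15"), "10.8.0.11"),
    (ts("2010-03-01 13:20"), "10.8.0.11"),    # same address, reassigned later
    (ts("2010-03-01 12:00"), "10.8.0.12"),    # VPN session had already ended
    (ts("2010-03-01 10:10"), "192.168.5.7"),  # address never issued by the VPN
]

def attribute(logins, sessions):
    """Return (time, ip, status, users) for every generic-account login."""
    results = []
    for when, ip in logins:
        users = sorted({user for user, vpn_ip, start, end in sessions
                        if vpn_ip == ip and start <= when <= end})
        if len(users) == 1:
            status = "attributed"
        elif users:
            status = "ambiguous"      # overlapping sessions on one address
        else:
            status = "unattributed"   # no individual can be held accountable
        results.append((when, ip, status, users))
    return results

def exceptions(logins, sessions):
    """Logins that cannot be tied to exactly one individual."""
    return [r for r in attribute(logins, sessions) if r[2] != "attributed"]

if __name__ == "__main__":
    for when, ip, status, users in attribute(GENERIC_LOGINS, VPN_SESSIONS):
        print(when, ip, status, ",".join(users) or "-")
```

Matching on the time window as well as the address matters because VPN addresses are reused: the same address maps to different people at 09:15 and 13:20 in the sample.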


